
Thread: Session Help and some explanation

  1. #1

    Session Help and some explanation

    Hi all,

    Can someone explain session management to me a bit please (or provide me with some additional reading).

    I am currently playing with the ConcurrentSessionControlStrategy and have set the maximum sessions value to 1 and 2, but I see 0 differences between the behavior of my application.

    Using Chrome, I launch a form login and log in with 'admin'. I then open a second tab and log in again. A second session ID is created and I can once again log in with 'admin'. Now, from the second window, if I log out, I'm booted out of both windows.

    The strange thing, to me, is that the behavior is consistent whether I change that concurrency setting to 1 or 2. If I 'support' more than 1 session, why would the second window log me out of the first?

    Thanks for the help,

    Aaron

  2. #2

    ...in a nutshell

    I guess, to take it one step further...

    Can Spring Security, in any shape or form, give me the ability to:

    - launch login form A in Chrome (tab A)
    - launch login form B in Chrome (new tab B)

    Log in as user A in form A in tab A. Log in as user B in form B in tab B.

    Go to tab A and hit refresh - and I'm logged in as user B. User B's login clobbers user A and takes over. Is there any way to have both tabs work as two distinct browsers? I don't believe there is, is there?

    Can anybody just confirm that there is or isn't a way to do that?

    Thanks.

  3. #3
    Join Date
    Jun 2006
    Location
    The Netherlands
    Posts
    13,632


    A tab isn't a new window; a tab copies the session state and cookies... So basically you are still logged in once... Start up Chrome and Firefox and try again...

    "Is there any way to have both tabs work as two distinct browsers"
    Well, see above... Also, a new tab (CTRL+T) and a new window (CTRL+N) basically have the same behavior; you really need to start a fresh browser.
    Marten Deinum
    Java Consultant / Pragmatist / Open Source Enthusiast / Author


    Pro Spring MVC: With Web Flow
    Conspect

    Have you read the reference guide.
    Use the [ code ] tags, young padawan

  4. #4


    Thank you for confirming that and explaining it nicely.

    Taking it the next step - would it be possible to disable cookies in some way for my app and pass across the sessionID on each request, thereby taking the logic to handle these different requests into the app and managing the sessions that way? I'm not really asking for a 'here's how you'd do it' answer, but wondering if anybody has explored this option in the past?

  5. #5

    You could, but that opens up your application to session hijacking... You can instruct your app server to disable cookies for the session ID and use the request. The drawback is that each request needs to have the session identifier... (and as that is in the URL, it makes you vulnerable).
    Marten Deinum

  6. #6


    Very good. Thanks for the quick reply.
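
Added example, not part of the original thread or of Spring Security: the trade-off raised in reply #5, shown as servlet container configuration with the URL-based setting next to the cookie-only one. The class name SessionTrackingHardening is hypothetical, and the code assumes a Servlet 3.0 container and a site served over HTTPS.

```java
// Added example; SessionTrackingHardening is a hypothetical class name.
// Servlet 3.0 API (javax.servlet; the package is jakarta.servlet on newer containers).
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionTrackingHardening implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext ctx = event.getServletContext();

        // Weak variant discussed in the thread: the session ID travels in the
        // URL (";jsessionid=..."), so it ends up in browser history, proxy and
        // server logs, Referer headers and any link a user copies or shares.
        // ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.URL));

        // Hardened variant: cookie-only tracking, no URL rewriting fallback.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Keep the session cookie away from page scripts and plain HTTP.
        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // assumption: the application is served over HTTPS

        // Fail deployment if the container still allows URL tracking.
        Set<SessionTrackingMode> effective = ctx.getEffectiveSessionTrackingModes();
        if (effective.contains(SessionTrackingMode.URL)) {
            throw new IllegalStateException(
                    "URL session tracking is still enabled: " + effective);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Nothing to clean up.
    }
}
```

With cookie-only tracking, tabs and windows of one browser profile keep sharing a single session, which is the behavior described in reply #3.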
